I'm looking for a way to dump a pcap of the network data generated by an application, in a similar way to how strace dumps syscalls, etc. E.g.:

net-strace somecommand -args

somecommand would do something over the network, and net-strace would save a pcap dump of all the traffic generated by that app (+ replies and related traffic).

Can this be achieved?

gesti
  • The problem is that applications don't send packets (except those using raw sockets like ping) but use a networking API that causes the kernel to send packets (and receive related ones) on their behalf. – Stéphane Chazelas Dec 18 '14 at 13:22
  • Yes, but there are applications (eg proxychains - http://proxychains.sourceforge.net/ ) which run all application data through a proxy. Don't know how they do it, but they can capture it and send it through a proxy. Maybe if there is a simple proxy (run locally), which can dump pcap, proxychains+proxy combo can be used for obtaining the dump. – gesti Dec 18 '14 at 13:28
  • They're more likely hijacking the API (with LD_PRELOAD) than the packets. Having said that, one might be able to inject some setsockopt(SO_MARK) into applications and use netfilter to log the packets to ulog. – Stéphane Chazelas Dec 18 '14 at 13:33
  • Creating a new network namespace for the application and capturing all traffic in there may be an acceptable approach for some use cases as well. – Stéphane Chazelas Dec 18 '14 at 13:36

2 Answers

How about using strace itself?

strace -f -e trace=network -o output_file -s 10000 somecommand -args
Christian Long
  • The command line you gave appears to only show DNS requests. strace's -e option frequently doesn't select what you actually want. – Robin Green Sep 12 '15 at 18:20
You may dump application generated traffic by different methods:

If you know the ports the application is using, you can run tcpdump or wireshark with specific filtering rules for these ports.

If that is not an option, you may mark application packets using an iptables rule, matching the owner of the process. You may need to create a new user account to completely isolate the process. Then you can capture the traffic that only matches the rule.

You may find more complete information on this related topic: https://askubuntu.com/questions/11709/how-can-i-capture-network-traffic-of-a-single-process

You may also find this program, tracedump, interesting, as mentioned in the previous topic: http://mutrics.iitis.pl/tracedump

almlys
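As an added example (not code from the question or either answer), the script below implements the network-namespace approach raised in the comments: the command runs in its own namespace connected to the host through a veth pair, so every packet it sends and every reply it receives passes through one interface, which tcpdump records to a pcap file. It also carries a small helper for the "known ports" method from the answer above, turning a port list into a tcpdump filter. It assumes Linux with iproute2, iptables and tcpdump, run as root; the namespace name, the interface names, the 10.200.0.0/30 addresses and the OUT/UPLINK variables are all constructed for this example.

```shell
#!/bin/sh
# net-pcap: run a command in a private network namespace and save every
# packet it sends or receives (replies included) to a pcap file.
# Added example for this thread, not code from the question or answers.
# Assumes Linux with iproute2, iptables and tcpdump, run as root.
# Interface names and the 10.200.0.0/30 addresses are constructed here.
set -eu

NS="${NS:-pcapns}"            # assumed namespace name
HOST_IF="veth-host"           # host end of the veth pair (assumed)
NS_IF="veth-ns"               # namespace end (assumed)
HOST_IP="10.200.0.1"          # constructed point-to-point addresses
NS_IP="10.200.0.2"
UPLINK="${UPLINK:-eth0}"      # host interface with outside reach (assumed)
OUT="${OUT:-capture.pcap}"    # where the capture is written

# Turn a list of ports into a tcpdump/BPF filter, e.g. "port 80 or port 443".
# This is the "known ports" method from the answer; it needs no privileges.
bpf_filter_for_ports() {
    filter=""
    for p in "$@"; do
        if [ -z "$filter" ]; then filter="port $p"; else filter="$filter or port $p"; fi
    done
    printf '%s\n' "$filter"
}

cleanup() {
    # Stop the capture, drop the NAT rule, delete the namespace (the veth
    # pair disappears with it).
    [ -n "${TCPDUMP_PID:-}" ] && kill "$TCPDUMP_PID" 2>/dev/null && wait "$TCPDUMP_PID" 2>/dev/null || true
    iptables -t nat -D POSTROUTING -s "$NS_IP/32" -o "$UPLINK" -j MASQUERADE 2>/dev/null || true
    ip netns del "$NS" 2>/dev/null || true
}

setup_namespace() {
    ip netns add "$NS"
    ip link add "$HOST_IF" type veth peer name "$NS_IF"
    ip link set "$NS_IF" netns "$NS"
    ip addr add "$HOST_IP/30" dev "$HOST_IF"
    ip link set "$HOST_IF" up
    ip -n "$NS" addr add "$NS_IP/30" dev "$NS_IF"
    ip -n "$NS" link set "$NS_IF" up
    ip -n "$NS" link set lo up
    ip -n "$NS" route add default via "$HOST_IP"
    # Let the namespace reach the outside through the host.
    sysctl -q -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -s "$NS_IP/32" -o "$UPLINK" -j MASQUERADE
    # DNS inside the namespace: "ip netns exec" bind-mounts
    # /etc/netns/$NS/resolv.conf over /etc/resolv.conf when that file exists.
    mkdir -p "/etc/netns/$NS"
    [ -f "/etc/netns/$NS/resolv.conf" ] || cp /etc/resolv.conf "/etc/netns/$NS/resolv.conf"
}

run_capture() {
    trap cleanup EXIT INT TERM
    setup_namespace
    # Everything the command does leaves through the namespace end of the
    # veth pair, so capturing there sees the traffic and the replies.
    ip netns exec "$NS" tcpdump -i "$NS_IF" -U -n -w "$OUT" 2>/dev/null &
    TCPDUMP_PID=$!
    sleep 1    # give tcpdump time to open the interface
    # Run the command as the invoking user when called through sudo.
    if [ -n "${SUDO_USER:-}" ]; then
        ip netns exec "$NS" runuser -u "$SUDO_USER" -- "$@"
    else
        ip netns exec "$NS" "$@"
    fi
}

if [ $# -eq 0 ]; then
    echo "usage: OUT=file.pcap $0 command [args...]" >&2
else
    run_capture "$@"
fi
```

Usage is `sudo OUT=somecommand.pcap ./net-pcap somecommand -args`, after which the pcap opens in wireshark or tcpdump as usual. The namespace only captures that one process tree, which is what makes it cleaner than filtering a shared interface; the trade-off is that the command sees a different source address (10.200.0.2, masqueraded by the host), which matters for software that binds to or reports its own address.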